
Issue 651097


Issue metadata

Status: Assigned
Owner:
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Feature



Local Resource Load

Reported by rohitk0...@gmail.com, Sep 28 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36

Steps to reproduce the problem:
1. Open the URL below
2. data:text/html,<iframe src="chrome://">

What is the expected behavior?
Security message should be displayed

What went wrong?
No security message is generated

Did this work before? N/A 

Chrome version: 53.0.2785.116  Channel: stable
OS Version: 10.0
Flash Version: Shockwave Flash 23.0 r0
 
Labels: Needs-Feedback
Can you please add a screenshot, and explain what message you expect to see, and where? 

When I try this repro, the disallowed subframe is not loaded. When using the exact URL above, there's no error message in the DevTools console. If I change the URL to something that actually exists, e.g.

   data:text/html,<iframe src="chrome://crashes">

... the console shows: Not allowed to load local resource: chrome://crashes/

It's not clear that this is a security bug.

Yes, I mean by message in dev tools

Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Needs-Feedback Type-Feature
Owner: dgozman@chromium.org
Status: Assigned (was: Unconfirmed)
Not a security bug per se, since nothing is loaded and exploitation isn't possible, but rather a functional one as it would be nice if it gave a message.

Cc: dgozman@chromium.org
Owner: chowse@chromium.org
Over to Chris for UI ideas.

What exactly is meant by a "security message" here? Is this a different type of console message (vs. error or warning)? Can you provide a similar example used elsewhere in Chrome or DevTools?

